This is something I usually take care of by throttling the relevant event listeners (in an AJAXed site) but the way this article puts it makes me wonder if this is as easy as globally disabling double clicks on links and buttons:
document.addEventListener('dblclick', event => {
if (event.target.closest('a, input, button'))
event.preventDefault()
})
Would be careful with this (if it works), double clicking can be used to select text, which might turn out to be annoying when disabled in non-button inputs - certainly on mobile I use it a lot.
The proposed solution (an HTML attribute to 'allow' double-click submissions of <form>s) is backwards from how the standard would be updated.
The proposal should instead be for an attribute that prevents double-clicks, because that way browsers that have not implemented it still behave correctly. Additionally, you don't "break userspace" for millions of forms online that no longer work as the developer intended.
However, I'm skeptical that we need to encode this at all into the standard, since setting the `disabled` attribute on the submission button after submission is pretty much test case #0 of any serious online form development.
Amusingly, things have gotten a lot better since 2015 when this was written. That blob of JQuery is now replaced with binding the `disabled` attribute to `isSubmitted` state on your React-based webform. An interesting glimpse into the web-that-used-to-be.
Except that for the overwhelming majority (admittedly not literally all) of those forms, no-double-click is how the developer intended them to work. If anything, I call [citation needed] on the implication that there is any <form> anywhere that actually expects or relies on double-clicks producing two different HTTP requests.
If you want a better server-side solution, you could try employing mandatory idempotency tokens in the request payload. The concept is simple: either have the server give the client an idempotency token as part of the page load, or have the client request one at some point, or have it be something that can be generated on the client side (nonce style) and send it with the request. The server can then validate, using some strongly consistent system, that it has not received any requests in a certain window of time with that token. (Or, possibly, react with the existing response.)
This has an additional benefit that even methods like PUT do not: it works no matter how many layers of your stack might have retry behavior (properly or improperly) and enables safe retry even when you can’t be sure if the request went through or not. The primary downside is that it introduces a single point of failure, though you could theoretically shard it by some property of the request such as the session key/user id/IP address. Still desirable if you have something you really don’t want to repeat, like a transaction. (Probably would be wise to also make those multiple stage, but nonetheless.)
Goes without saying you should definitely still mitigate this on the client side by updating the UI state if JavaScript is available.
AFAIK typical CSRF token implementations allow for reuse, and unlike an idempotency token necessarily need to be generated by a trusted server. They solve a different problem.
If the client-side solution is so simple, what's the problem? There are many things on the web where, if given a clean slate, it would be nice to change the default behavior. This doesn't seem to rise to the top of that list.
I've actually heard people verbally use the word "doubleclick" to mean explore. For example, someone in a meeting might mention some idea. Then my colleague would say "let's doubleclick on that for a minute".
Where I am people use "doubleclick" and "tripleclick" as nouns to represent specific levels of detail. As in, "I think we've got a good story for the doubleclick but I want to hear more about the tripleclick on Topic X."
Interestingly, the only persons I've ever seen doubleclicking in the web are from my parent generation (>60, >70 years old).
Also since 2015 the mobile adaption increased more and more. On mobile devices, the "double tap" concept never was very important, I think (at least not in the web context).
Therefore my feeling is that this issue is mostly a thing from the past.
Nevertheless I sometimes see forms which implement this "disable after submission" principle. Especially when it's about money, such as when booking a hotel or flight, etc.
26 comments
[ 0.24 ms ] story [ 57.5 ms ] threadI agree this would be a more sensible behavior for form submission, but given that ship has long since sailed: https://xkcd.com/1172/
The proposal should instead be for an attribute that prevents double-clicks, because that way browsers that have not implemented it still behave correctly. Additionally, you don't "break userspace" for millions of forms online that no longer work as the developer intended.
However, I'm skeptical that we need to encode this at all into the standard, since setting the `disabled` attribute on the submission button after submission is pretty much test case #0 of any serious online form development.
Amusingly, things have gotten a lot better since 2015 when this was written. That blob of JQuery is now replaced with binding the `disabled` attribute to `isSubmitted` state on your React-based webform. An interesting glimpse into the web-that-used-to-be.
`<button onclick="this.disabled=true">button</button>` worked in the 90s.
Sadly, it doesn't seem browser vendors are very interested to support this.
I've seen new users in particular double click to open.
Then, since the machine is so busy, nothing happens for a bit.
Concerned, the user then double clicks again. At this point they start to despair or curse.
Literally only to open a file from finder, which I use in column mode so navigating is single clicking.
This has an additional benefit that even methods like PUT do not: it works no matter how many layers of your stack might have retry behavior (properly or improperly) and enables safe retry even when you can’t be sure if the request went through or not. The primary downside is that it introduces a single point of failure, though you could theoretically shard it by some property of the request such as the session key/user id/IP address. Still desirable if you have something you really don’t want to repeat, like a transaction. (Probably would be wise to also make those multiple stage, but nonetheless.)
Goes without saying you should definitely still mitigate this on the client side by updating the UI state if JavaScript is available.
Office Space became a lot less funny when I started living it.
Unless you're a submarine, surface isn't a verb!
https://www.google.com/search?q="surfaced+a+problem"
Where I am people use "doubleclick" and "tripleclick" as nouns to represent specific levels of detail. As in, "I think we've got a good story for the doubleclick but I want to hear more about the tripleclick on Topic X."
Also since 2015 the mobile adaption increased more and more. On mobile devices, the "double tap" concept never was very important, I think (at least not in the web context).
Therefore my feeling is that this issue is mostly a thing from the past.
Nevertheless I sometimes see forms which implement this "disable after submission" principle. Especially when it's about money, such as when booking a hotel or flight, etc.